Microsoft stores Windows 10 users’ encryption key

30 Dec 2015

Microsoft might be jeopardising users' data with its built-in disk encryption feature in Windows 10.

According to commentators, because Windows 10 was set to automatically upload users' recovery key to Microsoft's servers, the key was vulnerable in the event of a security breach.

Windows 10 ships with a device encryption feature that was enabled by default, which ensured protection of users' data on the computer for those who used a Microsoft account (Outlook/Live email) as a method of signing in.

However, this also meant that Microsoft had users' encryption key, according to The Intercept.

If hackers accessed a Microsoft account, they could access this recovery key. In case of an attack on Microsoft's server, the privacy of the user could also be compromised. There were several other scenarios in which unauthorised personnel could gain access to the recovery key for a user's computer.

More expensive versions of Windows 10, Pro and Enterprise, come with software called BitLocker installed, which allows users to encrypt their device without sending the key to Microsoft. They could print it or save it to an external drive instead. However, this was not available to Windows Home users.

According to commentators, it was also possible for users to delete their key from Microsoft's servers once it had been uploaded. However, there was no way to avoid uploading it in the first place, which might put off most security-conscious users.